Yelp / detect-secrets

An enterprise friendly way of detecting and preventing secrets in code.
Apache License 2.0
3.58k stars 449 forks

KeywordDetector plugin doesn't detect secrets which start with a symbol #852

Open gpflaum opened 3 weeks ago

gpflaum commented 3 weeks ago

The KeywordDetector plugin doesn't detect secrets which start with a symbol. The comments in keyword.py say it will "find secrets that starts with symbols or alphanumeric characters". That used to work, but a change made in #442 to address a performance problem broke this. After that change it only finds secrets which start with word characters (\w): letters, digits, or underscore.

Create a file leading_symbol.properties:

# KeywordDetector does not find this secret:
a_password = +eTxoi3271x
# It does find this secret:
b_password = eTxoi3271x+

detect-secrets and detect-secrets-hook only find the second secret; they don't find the secret with a leading symbol:

% detect-secrets-hook leading_symbol.properties
ERROR: Potential secrets about to be committed to git repo!

Secret Type: Secret Keyword
Location:    leading_symbol.properties:4

Possible mitigations:
  - For information about putting your secrets in a safer place, please ask in
    #security
  - Mark false positives with an inline `pragma: allowlist secret`
    comment

If a secret has already been committed, visit
https://help.github.com/articles/removing-sensitive-data-from-a-repository

KeywordDetector should find secrets that start with a symbol.
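The behaviour reported above can be reproduced with two simplified keyword regexes run over the reporter's two-line properties sample. This is an added illustration, not the project's own code: the patterns below are hypothetical stand-ins for the regex in keyword.py, written only to show why anchoring the captured value on a word character (`\w`) drops `+eTxoi3271x` while a non-whitespace anchor (`\S`-style class) keeps it. The keyword list, the `scan()` helper and the inline sample are all constructed here.

```python
import re

# Constructed sample, mirroring the reporter's leading_symbol.properties
SAMPLE_PROPERTIES = """\
# KeywordDetector does not find this secret:
a_password = +eTxoi3271x
# It does find this secret:
b_password = eTxoi3271x+
"""

# Hypothetical, simplified keyword prefix (NOT detect-secrets' keyword.py):
# a secret-ish keyword, optional suffix, '=' or ':', optional opening quote.
SECRET_KEYWORD = r"(?i)(?:password|passwd|secret|token)\w*\s*[=:]\s*['\"]?"

# "Narrow" value class: the captured secret must BEGIN with a word character.
# This is the failure mode the issue describes: a value such as +eTxoi3271x
# never matches, because '+' is not in \w.
NARROW_SECRET_RE = re.compile(SECRET_KEYWORD + r"(?P<secret>\w[^\s'\"]*)")

# "Wide" value class: any run of non-whitespace, non-quote characters, so a
# leading symbol no longer hides the value.
WIDE_SECRET_RE = re.compile(SECRET_KEYWORD + r"(?P<secret>[^\s'\"]+)")

# Inline allowlist marker, as printed in the detect-secrets-hook output above.
ALLOWLIST_PRAGMA = "pragma: allowlist secret"


def scan(text, pattern):
    """Return [(line_number, secret), ...] for every line the pattern flags.

    Lines that are .properties comments ('#' or '!') are skipped, as are lines
    carrying the inline allowlist pragma.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.lstrip()
        if stripped.startswith(("#", "!")) or ALLOWLIST_PRAGMA in line:
            continue
        match = pattern.search(line)
        if match:
            hits.append((lineno, match.group("secret")))
    return hits


def compare(text=SAMPLE_PROPERTIES):
    """Run both patterns over the sample and return the two hit lists."""
    return {
        "narrow": scan(text, NARROW_SECRET_RE),
        "wide": scan(text, WIDE_SECRET_RE),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:6s} -> {hits}")
```

Running the block prints the narrow pattern flagging only line 4 (`eTxoi3271x+`) and the wide pattern flagging lines 2 and 4, which is exactly the asymmetry shown in the hook output above. The fix direction is the value class, not the keyword list: whatever anchor the real plugin uses, a leading symbol should be permitted as the first character of the captured value.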